# https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/calicoctl.yaml
# Calico Version master
# https://projectcalico.docs.tigera.io/releases#master
# This manifest includes the following component versions:
#   calico/ctl:v3.28.0

apiVersion: v1
kind: ServiceAccount
metadata:
  name: calicoctl
  namespace: kube-system

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calicoctl
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - nodes
    verbs:
      - get
      - list
      - update
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      - update
  - apiGroups: [""]
    resources:
      - pods
      - serviceaccounts
    verbs:
      - get
      - list
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - update
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgppeers
      - bgpconfigurations
      - clusterinformations
      - felixconfigurations
      - globalnetworkpolicies
      - globalnetworksets
      - ippools
      - ipreservations
      - kubecontrollersconfigurations
      - networkpolicies
      - networksets
      - hostendpoints
      - ipamblocks
      - blockaffinities
      - ipamhandles
      - ipamconfigs
    verbs:
      - create
      - get
      - list
      - update
      - delete
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calicoctl
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calicoctl
subjects:
- kind: ServiceAccount
  name: calicoctl
  namespace: kube-system

---

kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: calicoctl
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: calicoctl
  template:
    metadata:
      labels:
        k8s-app: calicoctl
    spec:
      serviceAccountName: calicoctl
      hostNetwork: true
      hostPID: true
      tolerations:
      - operator: Exists
        effect: NoSchedule
      containers:
      - name: calicoctl
        image: {{ calicoctl_image }}
        stdin: true 
        tty: true 
        command:
          - calicoctl
        args:
          - version
          - --poll=1m
        volumeMounts:
        - name: var-run-calico
          mountPath: /var/run/calico
        - name: var-run-bird
          mountPath: /var/run/bird
        env:
        - name: DATASTORE_TYPE
          value: kubernetes
      volumes:
      - name: var-run-calico
        hostPath:
          path: /var/run/calico
      - name: var-run-bird
        hostPath:
          path: /var/run/bird